# Release Hardening Checklist

This checklist is the final validation gate before shipping security and mobile API changes.

## 1) Pre-Release Validation

- [ ] Confirm the target branch is up to date with `master`
- [ ] Verify no unintended files are staged (`git status --short`)
- [ ] Confirm release notes summarize risky changes (authz, API contracts, caching)

## 2) Automated Checks

Run from the repository root:

```bash
npm run typecheck:admin
npm run typecheck:mobile
npm run test:admin
```

Run the mobile API-focused tests:

```bash
cd apps/mobile
npm run test -- src/api/__tests__/gyms.test.ts src/api/__tests__/recommendations.test.ts src/api/__tests__/notifications.test.ts
```

## 3) Admin Security Spot Checks

- [ ] Verify a non-admin receives `403` on privileged routes
- [ ] Verify unauthenticated requests receive `401`
- [ ] Verify cross-gym actions are denied for non-superAdmin users
- [ ] Verify `DELETE /api/users` blocks self-delete for admin users
- [ ] Verify recommendation approval derives the approver from the auth context (not the request body)

## 4) Mobile Functional Smoke Checks

- [ ] Sign in as User A and load tabs/profile data
- [ ] Sign out and sign in as User B
- [ ] Confirm no User A data remains in goals, hydration, nutrition, stats, recommendations, notifications
- [ ] Confirm the onboarding gym selection and profile save flow still succeed
- [ ] Confirm notifications load and the unread count updates after read/delete actions

## 5) Rollback Plan

If release incidents occur:

1. Revert the release commit(s) from newest to oldest.
2. Redeploy the reverted build.
3. Validate the authentication and onboarding flows.
4. Post an incident note with root cause and follow-up action.

Suggested rollback command pattern (one revert per release commit, newest first):

```bash
git revert <newest-release-commit>
git revert <older-release-commit>
```

## 6) Deployment Record

Capture this in the PR/release notes:

- Release date/time:
- Release owner:
- Commits included:
- Validation commands run:
- Known caveats (if any):
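The section 3 spot checks, expressed as an added, self-contained policy model (this is example code, not the project's admin middleware): role names, the request fields, the `/api/users` route handling and the sample identities are all assumptions used only to make each checklist item a checkable boolean.

```typescript
// Added example (not the project's own middleware): a minimal policy that models the
// section 3 spot checks. Roles, request fields and sample identities are assumptions.
type Role = "user" | "admin" | "superAdmin";

interface AuthContext { userId: string; role: Role; gymId: string }

interface AdminRequest {
  method: "GET" | "POST" | "DELETE";
  path: string;          // e.g. "/api/users"
  targetGymId?: string;  // gym the action touches, if any
  targetUserId?: string; // user the action touches, if any
}

// Authorization decision as an HTTP status: 200 allowed, 401 unauthenticated, 403 forbidden.
export function authorizeAdminAction(auth: AuthContext | null, req: AdminRequest): number {
  if (!auth) return 401;                            // no verified session at all
  if (auth.role === "user") return 403;             // privileged routes need an admin role
  if (req.targetGymId !== undefined && req.targetGymId !== auth.gymId
      && auth.role !== "superAdmin") return 403;    // cross-gym actions: superAdmin only
  if (req.method === "DELETE" && req.path === "/api/users"
      && req.targetUserId === auth.userId) return 403; // admins cannot self-delete
  return 200;
}

// The approver is always the authenticated caller. An approver supplied in the body is
// never trusted; it is only flagged so the attempt can be logged.
export function resolveApprover(auth: AuthContext, body: Record<string, unknown>) {
  return { approvedBy: auth.userId, bodyApproverIgnored: "approvedBy" in body };
}

// One boolean per checklist item in section 3, using constructed sample identities.
export function runAdminSpotChecks(): Record<string, boolean> {
  const admin: AuthContext = { userId: "u-admin", role: "admin", gymId: "gym-1" };
  const member: AuthContext = { userId: "u-member", role: "user", gymId: "gym-1" };
  const root: AuthContext = { userId: "u-root", role: "superAdmin", gymId: "gym-0" };
  const list: AdminRequest = { method: "GET", path: "/api/users", targetGymId: "gym-1" };
  const otherGym: AdminRequest = { ...list, targetGymId: "gym-2" };
  const selfDelete: AdminRequest = { method: "DELETE", path: "/api/users", targetUserId: "u-admin" };
  return {
    nonAdminGets403: authorizeAdminAction(member, list) === 403,
    unauthenticatedGets401: authorizeAdminAction(null, list) === 401,
    crossGymDeniedForAdmin: authorizeAdminAction(admin, otherGym) === 403,
    crossGymAllowedForSuperAdmin: authorizeAdminAction(root, otherGym) === 200,
    selfDeleteBlocked: authorizeAdminAction(admin, selfDelete) === 403,
    approverFromAuthContext:
      resolveApprover(admin, { approvedBy: "u-root" }).approvedBy === "u-admin",
  };
}
```

A real spot check still runs against the deployed service; this model only documents the expected decision for each item so a regression in any of them is obvious.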